
Covid-19
Many threat actors are leveraging the high level of global anxiety around the spread of the Coronavirus to gain initial access to their victims’ networks and launch their campaigns. The common factor among these campaigns is the use of social engineering techniques to manipulate victims into trusting malicious scams.
Notes
<p>On January 29, a malspam campaign started actively distributing Emotet payloads. The emails were disguised as legitimate messages warning the targets of coronavirus infection, and were sent from previously compromised addresses.</p>
<p>At the end of January 2020, researchers identified malicious files posing as documents related to the coronavirus. They came in the form of PDF, MP4 and DOCX files whose names suggested video instructions on how to protect yourself from the virus, threat updates, and even virus detection procedures. In reality, these files contained several threats, including Trojans and worms.</p>
<p>At the beginning of February 2020, a phishing campaign targeting US citizens was launched. The attackers impersonated the CDC and promised a list of active infections in the victim’s surrounding area. They tried to trick potential victims into clicking a link embedded in the message that leads to a credential phishing page.</p>
<p>Another campaign launched around the same time targeted both US and UK citizens. This series of phishing emails asked recipients to "go through the attached document on safety measures regarding the spreading of coronavirus." Once the attached PDF is downloaded and opened, it infects the victim’s computer with information-stealer malware.</p>
<p>A campaign discovered around February 10, 2020 exploited the public’s need for medical information to drive traffic to fake pharmacy websites. The threat actors used comment spamming, an automated technique in which scripts or bots inject specific content into the comment sections of websites; the comments contained URLs linking to fake drug-selling businesses.</p>
<p>Another campaign discovered around the same time was conducted by cybercriminals from Russia or another Eastern European country. It played on concerns about the potential effects of the coronavirus on global shipping and targeted industries such as manufacturing, finance, and transportation. The phishing email lured victims into opening an attached Microsoft Word document that installs the AZORult information stealer.</p>
<p>On February 17, the World Health Organization (WHO) warned of ongoing coronavirus-themed phishing attacks impersonating the organization with the goal of stealing information and delivering malware. In one of those campaigns, the phishing email leads victims to a webpage that resembles the WHO website but contains a popup asking users to verify the username and password associated with their email address.</p>
<p>Around that time, researchers reported a spike in the number of coronavirus-related domain registrations. They also noticed an increase in new phishing websites from Russia claiming to offer details about the virus, how to prevent it, and other public health information.</p>
<p>On February 25, South Korean researchers found malicious code disguised as a ‘Corona 19 real-time status’ application. The malware is an executable that poses as a legitimate program providing information on the spread of COVID-19 in South Korea.</p>
<p>On February 27, a phishing campaign was launched spreading the Remcos RAT. After setting up everything it needs, the RAT logs the user's keystrokes and stores them in a log.dat file. The stolen information is then exfiltrated to its command and control server hosted at 66[.]154.98.108. The malware also gains persistence on the infected device by adding a Startup Registry key.</p>
<p>On March 14, 2020, researchers first discovered a campaign distributing CoronaVirus ransomware. To infiltrate the system, the threat actors created a phishing website pretending to promote WiseCleaner’s computer cleaning software. Once the user downloads a file called ‘WSHSetup.exe’, seven further files are fetched, including the CoronaVirus ransomware and the KPOT information-stealing Trojan. For a decryption tool, the threat actors demand 0.008 BTC (around $50). Based on the low ransom amount and the static bitcoin address, it is strongly suspected that the ransomware serves as a cover for the KPOT infection rather than as a way to generate actual ransom payments. KPOT is an information-stealing Trojan that emerged from Russian darknet forums. When executed, it attempts to steal cookies and login credentials from the victim’s web browsers, messaging programs, VPNs, FTP clients and email accounts.</p>
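The campaigns above share a small set of observable lure traits: a health body named in the sender's display name but a sending domain that is not theirs, a coronavirus-themed subject paired with a DOCX/PDF/MP4/EXE attachment, links to freshly registered themed domains, and (for the Remcos sample) the C2 host 66[.]154.98.108. The script below is an added example, not code from the page or from any of the researchers cited; it triages constructed email metadata against those traits. The sample messages, the `NEW_DOMAINS` feed and the `.example` hostnames are constructed assumptions; the only page-sourced indicator is the defanged C2 address.

```python
"""Defensive triage of email metadata for the COVID-19 lure patterns listed
in the notes above.  The message records and the 'newly registered domain'
feed are constructed for this example (assumptions), not real telemetry."""
import re
from urllib.parse import urlparse

# Indicator taken from the notes above (Remcos C2); stored defanged, refanged only to match.
KNOWN_C2 = {"66[.]154.98.108"}

# Lure theme seen across the campaigns; 'corona' also covers 'coronavirus'.
THEME = re.compile(r"corona|covid|ncov", re.I)

# Health bodies the campaigns impersonated -> the domain they legitimately send from.
IMPERSONATED = {"who": "who.int", "cdc": "cdc.gov"}

# Attachment types cited in the notes (Word, PDF, MP4, executables).
RISKY_EXT = {".doc", ".docx", ".pdf", ".mp4", ".exe"}

# Constructed stand-in for a newly-registered-domain feed (assumption).
NEW_DOMAINS = {"corona-status-update.example", "covid19-safety-docs.example"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator like 66[.]154.98.108 back into a matchable host."""
    return ioc.replace("[.]", ".")


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: dict) -> list:
    """Return the reasons a message matches the lure patterns (empty if none)."""
    reasons = []
    themed = bool(THEME.search(msg.get("subject", "")))
    dom = sender_domain(msg["from"])

    # 1. Display name claims WHO/CDC but the sending domain is not theirs.
    for name, legit in IMPERSONATED.items():
        if re.search(rf"\b{name}\b", msg.get("display_name", ""), re.I) and not dom.endswith(legit):
            reasons.append(f"impersonates {name.upper()} from {dom}")

    # 2. Themed attachment of a file type the campaigns used.
    for att in msg.get("attachments", []):
        ext = ("." + att.rsplit(".", 1)[-1].lower()) if "." in att else ""
        if ext in RISKY_EXT and (themed or THEME.search(att)):
            reasons.append(f"themed attachment {att}")

    # 3. Links to freshly registered themed domains or to the known C2 host.
    c2_hosts = {refang(c) for c in KNOWN_C2}
    for url in msg.get("urls", []):
        host = (urlparse(url).hostname or "").lower()
        if host in NEW_DOMAINS:
            reasons.append(f"link to newly registered themed domain {host}")
        if host in c2_hosts:
            reasons.append(f"link to known C2 {host}")
    return reasons


# Constructed sample messages modelled on the campaigns in the notes.
SAMPLES = [
    {"from": "alerts@cdc-info.example", "display_name": "CDC Health Alert",
     "subject": "Coronavirus cases in your area", "attachments": [],
     "urls": ["https://cdc-info.example/login"]},
    {"from": "desk@partner.example", "display_name": "Logistics Desk",
     "subject": "Coronavirus impact on global shipping",
     "attachments": ["shipping_update.docx"], "urls": []},
    {"from": "status@corona-status-update.example", "display_name": "Status Service",
     "subject": "Corona 19 real-time status", "attachments": ["status.exe"],
     "urls": ["http://corona-status-update.example/dl", "http://66.154.98.108/gate"]},
    {"from": "hr@corp.example", "display_name": "HR",
     "subject": "Updated remote work policy", "attachments": ["policy.pdf"],
     "urls": ["https://intranet.corp.example/policy"]},
]


def run_samples() -> dict:
    """Map sample index -> triage reasons."""
    return {i: triage(m) for i, m in enumerate(SAMPLES)}


if __name__ == "__main__":
    for i, reasons in run_samples().items():
        print(i, reasons or "clean")
```

The three checks are deliberately independent, so a message can fire on several at once (the third sample hits all of attachment, new domain and C2); in a mail gateway the impersonation check would normally be backed by SPF/DKIM alignment rather than a plain domain suffix comparison, and the domain feed by a real registration source.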
Mitigation
<ul>
<li>Implement secure VPN and firewall management appliances</li>
<li>Secure your cloud environments and manage cloud-native security controls</li>
<li>Outline cyber risk management strategies to counteract COVID-19 and other cyberthreats</li>
</ul>
<p>Email cybersecurity should also remain a top priority, as the vast majority of cyber-attacks are initiated by an unsuspecting staff member clicking on a phishing email containing malware or a malicious link, which may appear to be COVID-19 related and sent from a legitimate organization.</p>
<p>Virtual Private Networks (VPNs) and cloud-based services are coming into widespread use as many organizations encourage staff to work remotely if they are not directly needed for patient care. The use of encrypted VPNs and cloud services, although fairly secure, does not come without cyber risk. The referenced bulletins identify several critical VPN and cloud-based service vulnerabilities identified over recent months; these vulnerabilities are actively being exploited by cyber criminals and nation-state actors. When using VPNs and cloud-based services we would encourage organizations to:</p>
<ul>
<li>Employ multi-factor authentication and lockout after multiple incorrect attempts</li>
<li>Limit and monitor international access</li>
<li>Set download limits</li>
<li>Limit remote access to sensitive databases</li>
<li>Ensure all VPN and cloud-based service security patches are up to date</li>
</ul>
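Two of the VPN controls above, lockout after repeated failed attempts and monitoring of international access, can be checked directly against the appliance's authentication log. The script below is an added example, not code from the page or from any VPN vendor: it replays constructed auth records, raises a lockout once a user accumulates five failures inside ten minutes, flags a success that follows the lockout threshold (which means the appliance did not enforce it), and flags successful logins from outside the expected countries. The log format, the thresholds and the `GEO` table standing in for a GeoIP lookup are assumptions.

```python
"""Monitoring of constructed VPN authentication records for two of the
controls above: lockout after repeated failures, and flagging of access from
outside the expected countries.  Log lines and the IP-to-country table are
constructed for this example (assumptions); a real deployment would feed it
the VPN appliance's logs and a GeoIP database."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
LOCKOUT_THRESHOLD = 5                    # failures ...
LOCKOUT_WINDOW = timedelta(minutes=10)   # ... within this window trigger a lockout
ALLOWED_COUNTRIES = {"US"}               # where remote staff are expected to connect from

# Constructed stand-in for a GeoIP lookup (assumption); documentation ranges only.
GEO = {"203.0.113.5": "US", "198.51.100.7": "US", "192.0.2.44": "RU"}


def parse(line: str):
    """Parse one auth record; return None for lines that are not auth records."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(lines) -> list:
    """Return (alert, user, detail) tuples in the order they are raised."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        country = GEO.get(src, "??")    # unknown geolocation is treated as outside policy
        if ev["result"] == "FAIL":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > LOCKOUT_WINDOW:
                recent.popleft()        # drop failures older than the window
            if len(recent) >= LOCKOUT_THRESHOLD and user not in locked:
                locked.add(user)
                alerts.append(("lockout", user, src))
            continue
        # Successful login: a success after the threshold means the lockout is not enforced.
        if user in locked:
            alerts.append(("login-while-locked", user, src))
        if country not in ALLOWED_COUNTRIES:
            alerts.append(("international-access", user, f"{src} ({country})"))
    return alerts


# Constructed sample log: bob fails five times from RU and then succeeds,
# dave logs in from RU, and a stray non-auth line is skipped.
SAMPLE_LOG = """\
2020-03-16T08:00:00Z user=alice src=203.0.113.5 result=OK
2020-03-16T08:01:00Z user=bob src=192.0.2.44 result=FAIL
2020-03-16T08:01:30Z user=bob src=192.0.2.44 result=FAIL
2020-03-16T08:02:00Z user=bob src=192.0.2.44 result=FAIL
2020-03-16T08:02:30Z user=bob src=192.0.2.44 result=FAIL
this line is not an auth record
2020-03-16T08:03:00Z user=bob src=192.0.2.44 result=FAIL
2020-03-16T08:03:30Z user=bob src=192.0.2.44 result=OK
2020-03-16T09:00:00Z user=carol src=198.51.100.7 result=OK
2020-03-16T09:05:00Z user=dave src=192.0.2.44 result=OK
""".splitlines()


def run_sample() -> list:
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

The sliding window is kept per user rather than per source address so that a password-spraying run from rotating addresses still reaches the threshold; addresses with no geolocation are flagged rather than ignored, since an unknown origin is exactly the case the "monitor international access" control is meant to surface.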